[unisog] determining versions of SSL

Rich Graves rcgraves at brandeis.edu
Tue Sep 17 18:27:37 GMT 2002


Nessus 1.2 includes an active generic openssl vulnerability scan that works
and appears harmless (even to chronically fragile HP printers).

http://cgi.nessus.org/plugins/dump.php3?id=11060

Remember that the problem is fundamental to OpenSSL, not Apache. You should
also be worrying about TCP ports 993, 995, 636, 25, 587, 465...

The first of our two compromises was late on the 11th, at which point 
our branch of the ddos network had some 3,000 hosts on it. UConn wins.

Btw, we think we've found a third-party Windows POP/IMAP server that was
built with a vulnerable version of OpenSSL. Awaiting vendor response. 
Old versions of OpenSSL are embedded in lots of things.
-- 
Rich Graves <rcgraves at brandeis.edu>
UNet Systems Administrator
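Added editorial example, not part of Rich Graves' post and not the Nessus plugin he links: a small Python inventory script that walks the ports the post lists (25, 587, 465, 993, 995, 636), gets each one to a TLS session (directly, or via STARTTLS on the SMTP ports), and records what the service reveals about itself: negotiated protocol and cipher, the SHA-256 fingerprint of the presented certificate, and the software string from the SMTP/POP/IMAP greeting banner, which is often the only place an embedded product discloses a version. The port-to-TLS-mode mapping and the sample banners are assumptions based on standard usage, not facts from the post. Run it against your own mail and directory servers to build the inventory the post is asking for.

```python
import hashlib
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# How TLS is layered on the ports named in the post.
# Assumption: standard IANA usage; the post itself only lists the port numbers.
IMPLICIT_TLS_PORTS = {443: "https", 465: "smtps", 636: "ldaps", 993: "imaps", 995: "pop3s"}
STARTTLS_SMTP_PORTS = {25: "smtp", 587: "submission"}
# Services that send a greeting line on their own once the TLS session is up.
GREETING_SERVICES = {"smtps", "imaps", "pop3s"}

# Greeting formats (RFC 5321 / RFC 1939 / RFC 3501); the captured group is the free-form
# text where servers usually name themselves.
BANNER_PATTERNS = [
    ("smtp", re.compile(r"^220[ -]\S+\s+E?SMTP\s*(.*)$", re.I)),
    ("pop3", re.compile(r"^\+OK\s*(.*)$")),
    ("imap", re.compile(r"^\* OK\s*(?:\[[^\]]*\]\s*)?(.*)$")),
]


def tls_mode(port: int) -> str:
    """'implicit' (TLS from the first byte), 'starttls-smtp', or 'unknown'."""
    if port in IMPLICIT_TLS_PORTS:
        return "implicit"
    if port in STARTTLS_SMTP_PORTS:
        return "starttls-smtp"
    return "unknown"


def parse_banner(line: str):
    """Return (protocol, software-string) from a service greeting, or (None, None)."""
    line = line.strip()
    for proto, rx in BANNER_PATTERNS:
        m = rx.match(line)
        if m:
            return proto, (m.group(1).strip() or None)
    return None, None


def smtp_reply(sock: socket.socket):
    """Read one complete, possibly multi-line, SMTP reply and return its lines."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed connection mid-reply")
        data += chunk
        lines = data.split(b"\r\n")
        # Complete when the last full line has a space (not '-') after the 3-digit code.
        if len(lines) >= 2 and lines[-2][3:4] == b" ":
            return [l.decode("ascii", errors="replace") for l in lines[:-1]]


def _first_line(sock: socket.socket) -> str:
    """Read the greeting a service volunteers after connect; '' if it stays silent."""
    try:
        data = sock.recv(1024)
    except socket.timeout:
        return ""
    return data.decode("ascii", errors="replace").split("\r\n", 1)[0]


@dataclass
class Probe:
    host: str
    port: int
    mode: str
    protocol: Optional[str] = None      # e.g. "TLSv1.2"
    cipher: Optional[str] = None
    cert_sha256: Optional[str] = None   # leaf certificate fingerprint, for matching hosts
    service: Optional[str] = None
    software: Optional[str] = None      # whatever the greeting banner discloses
    error: Optional[str] = None


def probe(host: str, port: int, timeout: float = 5.0) -> Probe:
    """Connect, reach TLS (directly or via STARTTLS), and record what the service reveals."""
    mode = tls_mode(port)
    result = Probe(host, port, mode)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # inventory, not trust: self-signed and expired certs count too
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            banner = ""
            if mode == "starttls-smtp":
                banner = smtp_reply(raw)[0]            # plaintext 220 greeting
                raw.sendall(b"EHLO probe.invalid\r\n")  # 'probe.invalid' is a placeholder name
                if not any("STARTTLS" in l.upper() for l in smtp_reply(raw)):
                    raise RuntimeError("server does not advertise STARTTLS")
                raw.sendall(b"STARTTLS\r\n")
                if not smtp_reply(raw)[0].startswith("220"):
                    raise RuntimeError("STARTTLS refused")
            # Unknown ports are simply tried as implicit TLS.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result.protocol = tls.version()
                result.cipher = tls.cipher()[0]
                der = tls.getpeercert(binary_form=True)
                if der:
                    result.cert_sha256 = hashlib.sha256(der).hexdigest()
                if mode == "implicit" and IMPLICIT_TLS_PORTS[port] in GREETING_SERVICES:
                    banner = _first_line(tls)
            result.service, result.software = parse_banner(banner)
    except (OSError, RuntimeError) as e:          # ssl.SSLError and timeouts are OSError subclasses
        result.error = f"{type(e).__name__}: {e}"
    return result


if __name__ == "__main__":
    import sys
    for p in (25, 587, 465, 993, 995, 636):
        print(probe(sys.argv[1], p))
```

The handshake itself cannot tell you the OpenSSL version on the far end, which is why the script keeps the banner text and the certificate fingerprint: the banner is where a bundled product names itself, and identical fingerprints across hosts usually mean the same appliance image, so one confirmed vendor answer can be applied to the whole group.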
